A warning has been issued by The Sandbox, a blockchain-based metaverse startup, addressing a potential security compromise.
In a statement published on the firm’s blog on March 2, the company said that an unauthorized third party had accessed an employee’s computer and sent a bogus email to the platform’s users.
After discovering the security compromise, the firm warned users, alerting them to the possibility of phishing attempts and instructing targeted users “not to open, play, or download anything from the website.”
In addition, it was suggested that users change their passwords, activate two-factor authentication, and refrain from clicking on any links that seemed to be suspicious.
How the phishing was being executed
The phishing email, received on Feb. 26 and with the subject line “The Sandbox Game (PURELAND) Access,” included links that, if a user clicked on them, would cause malware to be installed on their machine. This virus would provide third-party control over the user’s computer, providing access to the user’s private information and administrative privileges.
The firm has indicated that the third party could not access any other services or accounts of The Sandbox and that they only had access to one employee’s computer. According to the statement made by the firm, the only data the attacker was able to access were the email addresses of The Sandbox users.
What is Sandbox doing?
The project has swiftly resolved the problem, alerting anyone who may have received the bogus email, restricting the employee’s accounts and access, and resetting all linked passwords using two-factor authentication.
The organization also said that it is striving to strengthen its security rules and processes and that the employee’s laptop has been reset.
It’s the latest in a series of hacks and phishing efforts through email that has targeted cryptocurrency users. Namecheap, a company that registers domain names, recently had its email system hacked, leading to a broad phishing effort that encouraged cryptocurrency wallet upgrades.
Specific phishing email campaigns have been successful in helping hackers steal substantial quantities of money. For example, in February 2022, a malicious actor looted nearly $2 million worth of NFTs from OpenSea customers by persuading them to sign a fraudulent transaction delivered through an email link.